Here's everything you need to know about the case
The Federal Trade Commission recently announced a settlement with Zoom Video Communications, Inc., one that will require the company to implement what the FTC deems a “robust information security program that will settle allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The video conferencing company agreed to execute a meticulous security program to guard its user-base long before the settlement when it enacted its 90-day security plan to combat intrusive acts such as Zoombombing. The lawsuit and settlement merely formalized Zoom’s efforts. On April 1, 2020, Zoom shifted all of its engineering resources to focus on safety and privacy issues, putting a 90-day freeze on all features not related to privacy, safety, or security. During the 90-day period, Zoom released over 100 features focused on user security.
Zoom launched Zoom 5.0, which was among the most impactful of the company’s releases and featured AES 256 GCM encryption. The company also released a feature that lets users report other users, set passwords for waiting rooms, and the ability to limit screen sharing. Zoom meeting hosts even gained the capacity to disable device logins, give unmute consent, enable cloud-recordings, and more.
During the 90-day period, Zoom acquired Keybase, a move that would help the tech giant realize end-to-end encryption and to offer customized data routing based on user-geography. Zoom is also said to have conducted a ‘comprehensive review’ with third-party experts and representative users to gain insight into its security challenges. The company prepared a transparency report that details information related to requests for data, records, and content, along with enhanced Zoom’s ‘bug bounty’ program. Further taking on security, Zoom launched the CISO council to facilitate a dialogue on security and privacy best practices.
The video conferencing firm even engaged in a series of white-box penetration tests to further identify security shortcomings and hosted a weekly webinar series to provide a progress report of sorts for Zoom users.
Months later, following legal proceedings, the FTC alleges, that as early as 2016, Zoom deceived users by stating that it extended end-to-end, 256-bit encryption. This was not the case, according to the FTC, with Zoom admitting as much back in April. In October, the video conferencing company did, in fact, deliver on its promise to extend end-to-end encryption to all users free and paid users, but only after facing backlash when the company wrote in a blog post full encryption would be for paid user accounts only.
The FTC further claims that Zoom maintained cryptographic keys, which let the tech giant access the contents of customer meetings, adding in a statement: “Zoom secured its meetings with a lower grade of encryption than promised,” continuing:
“Zoom’s misleading claims gave users a false sense of security, especially those who used its platform to discuss sensitive topics like health and financial information”
The statement further noted, “In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s video conferencing services.” Also, according to the FTC, Zoom misled some users who wanted to store recorded meetings in the company’s cloud repository when it falsely claimed meeting recordings were encrypted. “Instead, some recordings were allegedly stored unencrypted for up to 60 days on Zoom servers before being transferred to secure cloud storage,” the FTC wrote in a statement.
The FTC similarly claimed that Zoom jeopardized the security of some of its users when it stealthily installed the ‘ZoomOpener web server,’ along with a manual update for its Mac desktop application back in July 2018. The ZoomOpener web-server was a door in for the video conferencing company to automatically launch and join user meetings. “Zoom could have done so by circumventing an Apple Safari browser safeguard that protected users from a common type of malware.”
The complaint charges that in doing so, Zoom heightened the risk of remote surveillance by strangers, which could have led to instances like Zoombombing. According to the FTC, the software stayed on user computers long after they uninstalled the Zoom app and automatically reinstalled the Zoom app without users prompting it to do so under certain circumstances. “Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act.”
Apple eventually withdrew the ZoomOpener web-server from user computers via an automatic update in July 2019. I reached out to a Zoom spokesperson, who told me in a statement:
“The security of our users is a top priority for Zoom. We take seriously the trust our, users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs”
The statement continued by stating, Zoom is proud of the advancements its made to the video conferencing platform and it has already addressed the issues identified by the FTC, noting that the resolution with the FTC is in keeping with the company’s commitment to ‘innovating and enhancing’ its product as it delivers a secure video communications experience. There was no financial component to this settlement, although Zoom could face a $43,000 fine in the event of future violations of the FTC agreement.
Other tech companies have had similar complaints made against them. One such company is Microsoft, with Slack filing a grievance against the Microsoft Corporation back in July. In the official charge, Slack alleges that Microsoft ‘illegally’ padded its numbers to diminish the competition.
How is the collaboration giant alleged to have done so? Slack says that Microsoft ‘unfairly’ paired Microsoft Teams with its Microsoft 365 cloud-based productivity suite. Under European law, this could put Microsoft in breach of fair competition practices – if found to be liable. Apple is also facing a privacy case in Europe, over its iPhone tracking ID, a tool that lets advertisers track users without consent.
Increasingly, regulatory bodies on a global scale have beefed up their efforts to hold big tech’s feet to the fire regarding their actions when they are found to be in the wrong – a significant feat for users who value security and privacy.